Markus Meinzer, Bemnet Agata ■ Financial secrecy has entered the EU AML rulebook. What comes next? 

From July 2027, obliged entities will be required to take financial secrecy risks into account in geographic risk assessments under the European Union’s anti-money laundering rules. This marks a significant development: a long-standing insight that secrecy is not incidental but central to economic crime is finally being translated into regulatory practice. The way risk is defined shapes where scrutiny is directed, which financial flows are prioritised, and ultimately whether illicit activity is detected or missed. 

The data reflects this clearly. Jurisdictions with higher levels of financial secrecy consistently present greater opportunities for illicit financial flows to be concealed, particularly where large transaction volumes intersect with weak transparency requirements. 

For years, the role of financial secrecy has been widely acknowledged but unevenly addressed. It has appeared across guidance and research, yet rarely as a structured and measurable component of risk assessment. By requiring institutions to account for it explicitly, the EU’s new framework begins to close that gap and to align regulatory expectations more closely with how illicit financial flows actually operate. 

At its core, financial secrecy is embedded in legal and regulatory systems that determine whether financial activity can be traced, scrutinised or concealed. Weak beneficial ownership transparency, barriers to information exchange, and gaps in oversight do not simply increase risk at the margins; they shape the environments in which illicit financial activity becomes possible. 

Where financial secrecy persists, it enables tax abuse, corruption and the concealment of wealth at the expense of public revenues and accountability. 

The limits of “high-risk” country classifications 

Anti-money laundering frameworks have long relied on country classifications to organise and prioritise risk, most notably through “high-risk” and “low-risk” lists and politically shaped ‘blacklists’. The term “blacklist” itself reflects a problematic and racialised framing, which sits uncomfortably with its disproportionate application to countries in the Global South. These approaches have provided a degree of operational clarity, but they have also tended to compress complex realities into rigid categories. In practice, this has meant that risk is often treated as a binary condition — something a jurisdiction either is or is not — rather than something that varies in degree and is shaped by underlying legal and institutional features. 

The effect is not only simplification, but distortion. When risk is reduced to categories, it becomes easier to overlook how similar conditions can produce similar vulnerabilities across very different jurisdictions. It also allows some risks to remain under-scrutinised, particularly where they sit outside established classifications. In practice, this has contributed to systems that generate large volumes of low-value alerts while missing higher-risk activity, with false positive rates in some cases exceeding 90 per cent.

Recent analytical work and financial flow data raise serious concerns about the continued reliance on blacklisting as a core tool in anti-money laundering frameworks. Evidence shows that suspicious (unexplained) financial flows to and from major international financial centres — often not included on official high-risk lists — have grown significantly, while there is no evidence that flows to blacklisted jurisdictions have. 

This suggests that blacklists can be not only ineffective but actively misleading, directing attention away from where risks are most concentrated. In practice, this creates a false sense of security and reinforces biases that disproportionately target smaller or lower-income jurisdictions, while overlooking systemic risks embedded in major economies. 

This pattern reflects a broader structural issue: when risk identification is shaped by political processes rather than empirical evidence, enforcement efforts risk focusing on visibility rather than materiality. As a result, compliance systems may expend significant resources on jurisdictions with limited relevance to global illicit financial flows, while under-scrutinising the financial centres through which the largest volumes of potentially illicit capital move. This not only reduces effectiveness, but also risks discriminating against groups of citizens and entire countries. The racist origin of the term ‘blacklist’ makes it an unfortunately fitting label for a practice that is itself frequently discriminatory. 

The introduction of financial secrecy as a geographic risk factor reflects a shift towards assessing the underlying drivers of risk, rather than relying on broad country labels. It directs attention towards the specific conditions that enable opacity, opening space for more granular and proportionate assessments that allow institutions to distinguish more clearly between different levels of exposure and risk. 

This development builds on a body of work that has long argued for understanding financial secrecy as something that can be measured rather than assumed. Since its first publication in 2009, the Financial Secrecy Index has evaluated 141 jurisdictions using 20 indicators covering asset and ownership registration, legal entity transparency, tax and regulatory integrity, and international cooperation. Each jurisdiction is assigned a secrecy score on a scale from 0 to 100, allowing risk to be assessed in degrees rather than categories. 

By incorporating measurable, data-driven secrecy indicators into risk assessment, institutions are better able to distinguish between environments where financial activity can be scrutinised and those where it can more easily be concealed. The result is not only more accurate detection, but more effective use of compliance resources, including by reducing unnecessary alerts and focusing attention on higher-risk activity. 

However, understanding where risk is highest also depends on scale. 

A consistent finding across multiple data sources is that illicit financial flows and money laundering risks are highly concentrated within the global financial system. Major financial centres and advanced economies host the bulk of financial activity, and therefore also represent the primary nodes through which illicit funds are processed. 

This concentration underscores a critical point for risk assessment: evaluating risk requires not only qualitative judgments about regulatory frameworks, but also quantitative analysis of where financial flows — and therefore exposure — are greatest. 

Approaches that rely primarily on qualitative, rules-based assessments without integrating scale and volume risk overlook systemic vulnerabilities. In a context where a small number of jurisdictions account for a disproportionate share of global financial activity, treating all countries as equivalent units of analysis is neither efficient nor effective. 

A more accurate approach requires combining legal and institutional assessments with data on financial flows, investment stocks, and market size to ensure that risk prioritisation reflects real-world exposure. 

Systematically integrating quantitative dimensions into AML risk frameworks, rather than operating with discretionary risk parameters, would help shift the focus towards the ‘big nodes’ of the global financial system — where both legitimate and illicit financial activity is most concentrated. At the micro-level, large transactions should attract a relatively higher level of scrutiny than smaller ones. 

Progress that raises a wider question 

The formal recognition of financial secrecy as a core risk factor represents clear progress. It reflects a growing alignment between research, policy and regulatory practice, and it signals that more nuanced approaches to risk are both possible and necessary. 

These approaches are already embedded in established frameworks. Financial secrecy indicators form a core component of the Basel AML Index and are recommended by international law enforcement initiatives, including the FBI and the Five Eyes intelligence alliance, when assessing corruption risk. 

At the same time, it exposes a deeper question about consistency and responsibility. 

The responsibility to act on financial secrecy now sits squarely with obliged entities. Institutions are expected to integrate new data, adapt their systems, and demonstrate that their risk assessments are both effective and defensible, with increasing emphasis on transparency, documentation and board-level accountability. 

This approach is now entering a phase of formalisation. The EU Anti-Money Laundering Authority is expected to issue detailed guidance on risk factors by July 2026, following a public consultation process that will shape how financial secrecy is incorporated going forward. 

At the same time, the environments that give rise to financial secrecy are created and sustained through deliberate public policy choices. Decisions about transparency, enforcement, and international cooperation are made by governments, shaping where and how financial secrecy persists. 

Crucially, in many cases, the jurisdictions most deeply embedded in global financial secrecy are also those with the greatest influence over how risk is defined and applied. 

Recognising financial secrecy as a risk factor therefore cannot stop at the level of private sector compliance. It also requires holding public policy frameworks to the same standard, rather than limiting responsibility to the institutions managing the risks. 

If financial secrecy is to be treated as a core component of risk assessment, the same logic must be extended more widely. This means examining how domestic legal and regulatory frameworks contribute to secrecy, identifying where gaps persist, and addressing those conditions directly. It also requires a more consistent approach to how risk is understood across jurisdictions, acknowledging that existing classifications have often reflected political considerations as much as objective criteria. 

A shift towards more granular, evidence-based approaches offers an opportunity to build a more accurate picture of how financial secrecy contributes to global risk. Realising that potential will depend on how broadly and consistently this approach is carried through. 

What comes next 

The EU’s new rules demonstrate that financial secrecy can no longer be treated as a peripheral concern within anti-money laundering frameworks. They show that progress is possible when regulatory systems begin to reflect the realities of how financial flows operate. 

As these expectations begin to be put into practice, financial secrecy will increasingly shape how institutions understand and prioritise risk. The question is no longer whether it should be incorporated, but how quickly and effectively it can be integrated into existing frameworks in a way that is both workable in practice and capable of withstanding supervisory scrutiny. 

The next step is to ensure that this progress does not stop at the level of compliance. 

Applying the same standard across public policy frameworks would move the conversation from managing the effects of financial secrecy to addressing its causes. That is where the full potential of this shift lies, and where its impact will ultimately be determined. 

More detail on using financial secrecy data in anti-money laundering frameworks, including the regulatory context and available datasets, is available on our dedicated microsite. 
